Snort mailing list archives
Multi Flow Alert
From: Curt Shaffer <cshaffer () gmail com>
Date: Wed, 13 Jan 2010 10:33:16 -0500
I need to write a rule that will alert if I see the following characteristics. Client establishes port 80 traffic to IP address A. Immediately after the response of that flow, the same client establishes an SSL session on 443 to the same destination. I know this has potential for false positives, as redirection is pretty common, but if I can create a variable like MALWARE_C2C with a list of known IPs that this shouldn't happen to, or possibly KNOWN_RDIR hosts, I could keep a simple whitelist rather than a blacklist. Is this possible with Snort, to alert across multiple flows? If so, can someone point me to some documentation on the directives needed or give a simple example?

Thanks
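An added example, not part of the post or of Snort itself: the HTTP-then-TLS sequence described above, correlated outside the sensor over per-flow connection records (constructed here), with a KNOWN_RDIR allowlist of destinations where a redirect is expected. The record layout, the 2-second "immediately after" window and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Allowlist standing in for the KNOWN_RDIR variable in the post:
# destinations where an HTTP -> HTTPS redirect is expected (constructed sample).
KNOWN_RDIR = [ip_network("203.0.113.0/24")]
# "Immediately after": maximum gap between the end of the port-80 flow
# and the start of the port-443 flow (assumed value).
WINDOW_SECONDS = 2.0

@dataclass
class Flow:
    ts: float    # flow start, epoch seconds
    end: float   # flow end, epoch seconds
    src: str     # client address
    dst: str     # server address
    dport: int   # server port

def allowlisted(dst):
    """True if dst falls inside any KNOWN_RDIR network."""
    ip = ip_address(dst)
    return any(ip in net for net in KNOWN_RDIR)

def find_http_then_tls(flows, window=WINDOW_SECONDS):
    """Return (src, dst, gap) for each 443 flow that starts within `window`
    seconds after an 80 flow between the same client and server ended,
    skipping allowlisted destinations."""
    last_http = {}  # (src, dst) -> end time of the most recent port-80 flow
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst)
        if f.dport == 80:
            last_http[key] = f.end
        elif f.dport == 443 and key in last_http:
            gap = f.ts - last_http[key]
            if 0 <= gap <= window and not allowlisted(f.dst):
                hits.append((f.src, f.dst, round(gap, 3)))
    return hits

# Constructed sample flows (not taken from the post).
SAMPLE = [
    Flow(100.0, 100.4, "10.0.0.5", "198.51.100.7", 80),
    Flow(100.5, 103.0, "10.0.0.5", "198.51.100.7", 443),  # suspicious pair
    Flow(110.0, 110.3, "10.0.0.6", "203.0.113.9", 80),
    Flow(110.4, 112.0, "10.0.0.6", "203.0.113.9", 443),   # allowlisted redirect
    Flow(120.0, 120.2, "10.0.0.7", "198.51.100.8", 80),
    Flow(150.0, 152.0, "10.0.0.7", "198.51.100.8", 443),  # outside the window
]

if __name__ == "__main__":
    for src, dst, gap in find_http_then_tls(SAMPLE):
        print(f"ALERT {src} -> {dst}: TLS began {gap}s after HTTP flow ended")
```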